How to Create a Private AWS EKS Cluster?
Introduction
In this guide, we will create a private Amazon Elastic Kubernetes Service (EKS) cluster using Pulumi in TypeScript. Amazon EKS is a managed Kubernetes service that makes it easy to run Kubernetes on AWS without needing to install and operate your own Kubernetes control plane or nodes. By creating a private EKS cluster, we ensure that the cluster is not accessible from the public internet, enhancing the security of our infrastructure.
The key services involved in this solution are:
- Amazon VPC: A virtual private cloud to host our EKS cluster.
- Amazon EKS: The managed Kubernetes service.
- Amazon EC2: Virtual machines to serve as worker nodes for the EKS cluster.
- AWS IAM: Identity and Access Management to manage permissions and roles.
Step-by-Step Explanation
Step 1: Set up the Pulumi project
First, we need to set up a new Pulumi project. Initialize a new Pulumi project using the following command:
pulumi new aws-typescript
This will create a new Pulumi project with the necessary configuration files.
Step 2: Create a VPC
We need to create a new VPC to host our EKS cluster. This VPC will have private subnets where our EKS nodes will be deployed.
Step 3: Create IAM roles
Create the necessary IAM roles for the EKS cluster and worker nodes. These roles will have the required permissions to manage the cluster and its resources.
Step 4: Create the EKS cluster
Create the EKS cluster within the VPC. Ensure that the cluster is private by specifying the appropriate endpoint access settings.
Step 5: Create worker nodes
Create the EC2 instances that will serve as worker nodes for the EKS cluster. These instances will be deployed in the private subnets of the VPC. Nodes in private subnets still need outbound reachability to AWS services (for example Amazon ECR, to pull container images) in order to bootstrap and join the cluster, so give those subnets a route through a NAT gateway or provide the relevant VPC interface endpoints; the program below does not create either.
Step 6: Configure kubectl
Configure kubectl to connect to the EKS cluster. This will allow you to manage the cluster using the Kubernetes command-line tool. Because public endpoint access is disabled, kubectl must run from inside the VPC or from a network connected to it (for example over a VPN or AWS Direct Connect); the API server is not reachable from a workstation on the public internet.
Key Points
- Ensure that the VPC has private subnets to host the EKS nodes.
- Create IAM roles with the necessary permissions for the EKS cluster and worker nodes.
- Configure the EKS cluster to be private by setting the appropriate endpoint access settings.
- Deploy the worker nodes in the private subnets of the VPC.
- Use kubectl to manage the EKS cluster.
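The properties listed in the key points above can be checked before running `pulumi up`. The following TypeScript is an added example, not code from the original guide or from Pulumi: it takes the same values the program uses (VPC CIDR, subnet CIDRs and Availability Zones, the `vpcConfig` endpoint flags) as plain objects, so it runs offline without `@pulumi/aws`, and reports anything that would leave the control plane reachable from the internet or violate the EKS subnet requirements. The field names follow the Pulumi program; the check functions (`checkPrivateCluster`, `cidrContains`, `cidrsOverlap`) and the `ClusterSpec` shape are this example's own.

```typescript
// Added example (not part of the original Pulumi program): pre-deployment
// guardrail checks for a private EKS cluster over plain values.

interface SubnetSpec {
    cidrBlock: string;
    availabilityZone: string;
}

interface VpcConfigSpec {
    endpointPrivateAccess: boolean;
    endpointPublicAccess: boolean;
    publicAccessCidrs?: string[]; // only relevant when the public endpoint is on
}

interface ClusterSpec {
    vpcCidr: string;
    subnets: SubnetSpec[];
    vpcConfig: VpcConfigSpec;
}

// Netmask for a prefix length; prefix 0 is special because JS shifts are mod 32.
function maskFor(prefix: number): number {
    return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}

// Parse "a.b.c.d/n" into a 32-bit network address plus prefix length.
function parseCidr(cidr: string): { network: number; prefix: number } {
    const [addr, prefixStr] = cidr.split("/");
    const octets = addr.split(".").map(Number);
    const prefix = Number(prefixStr);
    const badOctet = octets.some(o => !Number.isInteger(o) || o < 0 || o > 255);
    if (octets.length !== 4 || badOctet || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
        throw new Error(`invalid CIDR: ${cidr}`);
    }
    const ip = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
    return { network: (ip & maskFor(prefix)) >>> 0, prefix };
}

// True when every address of `inner` lies inside `outer`.
function cidrContains(outer: string, inner: string): boolean {
    const o = parseCidr(outer);
    const i = parseCidr(inner);
    return i.prefix >= o.prefix && ((i.network & maskFor(o.prefix)) >>> 0) === o.network;
}

// True when the two ranges share at least one address.
function cidrsOverlap(a: string, b: string): boolean {
    return cidrContains(a, b) || cidrContains(b, a);
}

// Returns findings; an empty list means the spec meets the expectations of
// this guide: private-only control-plane endpoint, valid multi-AZ subnets.
function checkPrivateCluster(spec: ClusterSpec): string[] {
    const findings: string[] = [];
    const cfg = spec.vpcConfig;

    if (cfg.endpointPublicAccess) {
        const cidrs = cfg.publicAccessCidrs ?? ["0.0.0.0/0"]; // AWS default when unset
        if (cidrs.includes("0.0.0.0/0")) {
            findings.push("control-plane endpoint is reachable from the public internet");
        } else {
            findings.push(`control-plane endpoint is public, restricted to ${cidrs.join(", ")}`);
        }
    }
    if (!cfg.endpointPrivateAccess) {
        findings.push("private endpoint disabled: nodes and in-VPC kubectl cannot reach the API server");
    }

    const zones = new Set(spec.subnets.map(s => s.availabilityZone));
    if (zones.size < 2) {
        findings.push("EKS requires subnets in at least two Availability Zones");
    }
    spec.subnets.forEach((s, idx) => {
        if (!cidrContains(spec.vpcCidr, s.cidrBlock)) {
            findings.push(`subnet ${s.cidrBlock} is outside VPC ${spec.vpcCidr}`);
        }
        for (const other of spec.subnets.slice(idx + 1)) {
            if (cidrsOverlap(s.cidrBlock, other.cidrBlock)) {
                findings.push(`subnets ${s.cidrBlock} and ${other.cidrBlock} overlap`);
            }
        }
    });
    return findings;
}

// The values used by the program in this guide.
const guideSpec: ClusterSpec = {
    vpcCidr: "10.0.0.0/16",
    subnets: [
        { cidrBlock: "10.0.1.0/24", availabilityZone: "us-west-2a" },
        { cidrBlock: "10.0.2.0/24", availabilityZone: "us-west-2b" },
    ],
    vpcConfig: { endpointPrivateAccess: true, endpointPublicAccess: false },
};

console.log(checkPrivateCluster(guideSpec)); // [] for the guide's settings
```

Because the check works on plain values, it can run as a unit test or a CI step without AWS credentials; feed it the same literals you pass to `aws.ec2.Subnet` and `aws.eks.Cluster`, and fail the pipeline on a non-empty result.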
Conclusion
By following this guide, you have successfully created a private Amazon EKS cluster using Pulumi in TypeScript. This setup ensures that your EKS cluster is not accessible from the public internet, providing enhanced security for your Kubernetes workloads. You can now deploy and manage your applications on this private EKS cluster using Kubernetes.
Full Code Example
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a VPC. DNS resolution and DNS hostnames must both be enabled for the
// cluster's private endpoint to resolve from inside the VPC.
const vpc = new aws.ec2.Vpc("eks-vpc", {
    cidrBlock: "10.0.0.0/16",
    enableDnsHostnames: true,
    enableDnsSupport: true,
    tags: { Name: "eks-vpc" },
});

// Create subnets in two Availability Zones (EKS requires at least two).
// mapPublicIpOnLaunch is left at its default (false), so nodes get no public IP.
const subnet1 = new aws.ec2.Subnet("eks-subnet-1", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
    tags: { Name: "eks-subnet-1" },
});
const subnet2 = new aws.ec2.Subnet("eks-subnet-2", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2b",
    tags: { Name: "eks-subnet-2" },
});

// Create an IAM role for the EKS cluster. The trust policy lets only the EKS
// service assume it.
const eksRole = new aws.iam.Role("eksRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "eks.amazonaws.com",
            },
        }],
    }),
});
const eksRolePolicyAttachment = new aws.iam.RolePolicyAttachment("eksRolePolicyAttachment", {
    role: eksRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});

// Create an EKS cluster with a private-only control-plane endpoint: the API
// server is reachable solely from within the VPC (or networks connected to it).
// dependsOn ensures the cluster policy is attached before the cluster is created.
const eksCluster = new aws.eks.Cluster("eks-cluster", {
    roleArn: eksRole.arn,
    vpcConfig: {
        subnetIds: [subnet1.id, subnet2.id],
        endpointPrivateAccess: true,
        endpointPublicAccess: false,
    },
    tags: { Name: "eks-cluster" },
}, { dependsOn: [eksRolePolicyAttachment] });

// Create an IAM role for the worker nodes, assumable only by EC2.
const workerRole = new aws.iam.Role("workerRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "ec2.amazonaws.com",
            },
        }],
    }),
});
const workerNodePolicyAttachment = new aws.iam.RolePolicyAttachment("workerNodePolicyAttachment", {
    role: workerRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
});
const workerCniPolicyAttachment = new aws.iam.RolePolicyAttachment("workerCniPolicyAttachment", {
    role: workerRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
});
const workerRegistryPolicyAttachment = new aws.iam.RolePolicyAttachment("workerRegistryPolicyAttachment", {
    role: workerRole.name,
    policyArn: "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
});

// Create a managed node group in the private subnets. The node role's policies
// must be attached before the nodes launch, or they cannot join the cluster.
const nodeGroup = new aws.eks.NodeGroup("eks-node-group", {
    clusterName: eksCluster.name,
    nodeRoleArn: workerRole.arn,
    subnetIds: [subnet1.id, subnet2.id],
    scalingConfig: {
        desiredSize: 2,
        maxSize: 3,
        minSize: 1,
    },
    tags: { Name: "eks-node-group" },
}, {
    dependsOn: [
        workerNodePolicyAttachment,
        workerCniPolicyAttachment,
        workerRegistryPolicyAttachment,
    ],
});

export const vpcId = vpc.id;
export const eksClusterName = eksCluster.name;
export const nodeGroupName = nodeGroup.nodeGroupName;
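The two `aws.iam.Role` resources above receive their trust policies as JSON strings built with `JSON.stringify`. As an added example that is not part of the original program or of Pulumi, here is an offline check that parses such a document and confirms it trusts exactly the intended service principal and nothing broader: no `"*"` principal, no AWS account principals, no federated providers, and no non-STS or wildcard actions. `servicePrincipalTrust` reproduces the JSON shape the program builds; `checkTrustPolicy`, `asList` and the policy interfaces are this example's own names.

```typescript
// Added example (not from the original program): offline validation of the
// assume-role (trust) policy documents that aws.iam.Role receives as JSON.

type OneOrMany = string | string[];

interface PolicyPrincipal {
    Service?: OneOrMany;
    AWS?: OneOrMany;
    Federated?: OneOrMany;
}

interface PolicyStatement {
    Effect: "Allow" | "Deny";
    Action: OneOrMany;
    Principal?: PolicyPrincipal | "*";
}

interface PolicyDocument {
    Version: string;
    Statement: PolicyStatement | PolicyStatement[];
}

// IAM accepts a single string or an array in most positions; normalise to an array.
function asList(value: OneOrMany | undefined): string[] {
    if (value === undefined) return [];
    return Array.isArray(value) ? value : [value];
}

// Builds the same trust policy the program passes to aws.iam.Role.
function servicePrincipalTrust(service: string): string {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: { Service: service },
        }],
    });
}

// Returns findings; an empty list means only `expectedService` may assume the role.
function checkTrustPolicy(policyJson: string, expectedService: string): string[] {
    const findings: string[] = [];
    let doc: PolicyDocument;
    try {
        doc = JSON.parse(policyJson) as PolicyDocument;
    } catch {
        return ["trust policy is not valid JSON"];
    }
    if (doc.Version !== "2012-10-17") {
        findings.push(`unexpected policy Version ${String(doc.Version)}`);
    }
    const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    for (const st of statements) {
        if (st.Effect !== "Allow") continue; // Deny statements can only narrow trust
        for (const action of asList(st.Action)) {
            if (action.includes("*")) findings.push(`wildcard action ${action}`);
            else if (!action.startsWith("sts:")) findings.push(`non-STS action ${action} in a trust policy`);
        }
        if (st.Principal === undefined || st.Principal === "*") {
            findings.push("statement trusts any principal");
            continue;
        }
        const awsPrincipals = asList(st.Principal.AWS);
        if (awsPrincipals.includes("*")) findings.push("statement trusts any AWS account");
        else if (awsPrincipals.length > 0) findings.push(`statement trusts AWS principals ${awsPrincipals.join(", ")}`);
        if (asList(st.Principal.Federated).length > 0) findings.push("statement trusts a federated identity provider");
        const services = asList(st.Principal.Service);
        if (services.length === 0 && awsPrincipals.length === 0) findings.push("statement names no service principal");
        for (const svc of services) {
            if (svc !== expectedService) findings.push(`unexpected service principal ${svc}; expected ${expectedService}`);
        }
    }
    return findings;
}

// The two roles from the program, each checked against the service that should own it.
const eksTrust = servicePrincipalTrust("eks.amazonaws.com");
const workerTrust = servicePrincipalTrust("ec2.amazonaws.com");
console.log(checkTrustPolicy(eksTrust, "eks.amazonaws.com"));    // []
console.log(checkTrustPolicy(workerTrust, "ec2.amazonaws.com")); // []
console.log(checkTrustPolicy(workerTrust, "eks.amazonaws.com"));
// ["unexpected service principal ec2.amazonaws.com; expected eks.amazonaws.com"]
```

Running the check against the literal strings in the program catches the common slip of pasting the worker role's trust policy onto the cluster role (or vice versa), and the principal checks flag any later edit that widens who may assume the role.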